Privacy
News Highlights
26 October—02 November 2006
Contents:
UK – UK Government Advisor Urges Biometrics Caution
WW – Voice Biometrics Coming to Phone Banking
WW – Twenty-Four Countries Meet Visa Waiver Program ePassport Deadline
CA – Ontario Police Officer Wins Award for Biometric Tech Innovation
CA – Harper Government Announces Details of Passenger “No-Fly” Program
CA – Alberta Privacy Commissioner Orders Cops to Disclose Criminal Record Searches
CA – Internet Shopping Popular But Canadian Consumers Wary of Privacy and Security
QC – Quebec Places Moratorium on E-Voting Machines
AU – Australia Nets First Conviction Under Spam Act
WW – Microsoft Makes Sender ID Part of its Open Specifications Promise Program
US – Report: Sharing of Health Information Progresses, But Privacy Lags
WW – Mobile Security / Encryption Products Unveiled
EU – Czech Republic Bestows Big Brother Awards for the Second Time
WW – PI Report: Germany, Canada Global Leaders In Privacy Protection
WW – Privacy International and EPIC Launch Privacy and Human Rights Global Study
US – E-Trade Loses $18 Million to Cyberfraud In Last 90 Days; Industry-Wide Outbreak
UK – Britain’s Data Protection Chief Warns Banks About Dumping Financial Records
CA – Nova Scotia Ex-FOI Officer Wants to Reduce or Scrap Fees
US – DNA Database Increasingly Being Used for Property Crimes
UK – Warning Over Privacy of 50 Million Patient Files
AU – Australian University Privacy Gaffe
US – Missing Computer Holds Personal Data on More than 1 Million Colorado Residents
US – Security Breach News Roundup
UK – Report: ID Theft to Double By 2010
US – FTC: College Students Higher Risk of ID Theft
CA – Proposed Federal Changes Mean ID Cards at Voting Booths
CH – One Million Chinese ID Numbers are Duplicates
US – Microsoft Office Joins Windows in Genuine Advantage Program
UK – Group Calls for Copyright Reform to Allow Personal Copies
WW – New Firefox 2.0 Anti-Phishing Tool Unleashes Privacy Criticisms
WW – Spoofing Bug Found in IE 7
US – Boarding Pass Hacker Arrested
CA – Canadian Businesses Outsourcing to Remain Competitive In Global Markets
US – Groups Urge FTC to Investigate Online Consumer Tracking
HK – HK Personal Data Leak Breaches Privacy Law
NZ – New Zealand Will Review Privacy Laws
US – ACLU Drops Lawsuit Challenging Patriot Act
US – Ponemon: Sarbanes-Oxley to Blame for HP Pretexting
US – Schwarzenegger Camp Mines Consumer Data to Target Supporters
US – US Government ‘Disavows’ Scathing DHS Committee RFID Privacy Report
US – RFID Credit Cards Transmit Personal Data in Plaintext
EU – RFID Industry Panelists: RFID Industry Should Self-Regulate
WW – Study: People, Processes More Integral to Security Than Products
UK – UK Privacy Chief Releases Report on Surveillance
US – Army Monitors Soldiers’ Blogs, Web Sites
US – Auto Black Boxes Spark Uproar: Feds Asked to Rewrite the Rules
US – AT&T Launches Video Monitoring Service
US – Segregation of Data Urged for Real ID Act Information
US – Three New York State ID Theft Laws Now in Effect
US – Sen. Clinton Seeks To Protect Children From ID Theft
CA – Alberta Labour Opposes Workplace Drug Testing
A senior Home Office advisor
has warned that more work is needed before biometrics can be widely used in
nationwide systems. ZDNet UK reported on 20 October 2006 that Marek
Rejman-Greene, a senior biometric advisor for the Home Office scientific
development branch, said that much more research into usability is needed
before any major rollout. “I’m surprised how little we know about how people
interact with this technology,” said Rejman-Greene, appearing on a panel
discussion at the Biometrics 2006 show in London. “We don’t have any idea of
the right things to do. We need more research about how people confront this
technology, especially if the process goes wrong.” [Source]
RSA Security has unveiled a
product that uses voice biometrics to allow automated telephone banking
services to identify users. The product issues a risk score by analyzing the
voiceprint along with other information. High-risk scores trigger another
layer of security, such as secret questions. [Source]
All but three of the 27
countries participating in the US Visa Waiver Program (VWP), which allows
citizens to visit the US without a visa, have implemented e-passports with
embedded biometric data. The US Department of Homeland Security (DHS) set
October 26, 2006 as the deadline for countries to comply with the ePassport
requirement if their citizens wish to continue to take advantage of the VWP.
Otherwise, people will need a visa to visit the US. DHS says it will work with
the remaining three countries, Andorra, Brunei and Liechtenstein, to help them
comply with the requirements. The VWP applies to most citizens of participating
countries who are visiting the US for 90 days or less. [Source] [Source] [Source]
The York Regional Police tech
crimes officer piloting an innovative biometrics software program for child
pornography cases has received an award for his work. Constable Phil
Shrewsbury-Gee’s work with LACE (Law Enforcement Against Child Exploitation)
software garnered him an award at a law enforcement appreciation dinner last
week. LACE gives the force’s technological crimes unit the ability to input
thousands of child porn pictures into a computer and match similar images with
existing software used to identify faces of criminals. York Regional Police was
the first police agency in the world to start using the program. Additional
police agencies will be a part of a second phase of the pilot project, which is
expected to start over the next few weeks. [Source]
Lawrence Cannon, Minister of
Transport, Infrastructure and Communities, together with Stockwell Day,
Minister of Public Safety, today announced further details and draft
regulations related to Canada’s air passenger assessment program, known as
Passenger Protect. Under the Passenger Protect program, the Government of
Canada will create a list of specified persons who may pose an immediate threat
to aviation security should they attempt to board a flight. Excerpts: “... As a
result of the consultations conducted to date, Transport Canada has committed
to establishing a reconsideration process to provide a non-judicial, efficient
way for any member of the public who has been affected by the program to have
their case reviewed by persons independent of those who made the original
recommendation.” … “Transport Canada is ... working closely with the Office of
the Privacy Commissioner in order to further strengthen the privacy provisions
of the program prior to its implementation for Canadian domestic flights in
early 2007. The program will be extended to international flights to and from
Canada later that same year.” … “To allow for implementation of the program,
the Government of Canada is also proposing new Identity Screening Regulations
that would require air passengers to present government-issued identification
that shows name, date of birth, and gender before boarding an aircraft. This
practice would be consistent with procedures currently in use by most major
airlines... The proposed regulations will be published in the Canada Gazette,
Part I on October 28, 2006. From that date, there will be a 75-day period for
interested parties and the public to provide comments.” A Backgrounder on the
Passenger Protect program and the proposed Identity Screening Regulations was
also released. [Source]
[Canada
to Create a No-Fly List] [Air
security boss concedes gaps in agency’s coverage] [Source]
[Source]
Police have to assist people
wanting to know if officers have looked up their names in criminal databases,
unless it would hurt law enforcement, Alberta’s privacy commissioner has ruled.
In two separate cases, a journalist and a lawyer asked the Edmonton Police
Service if any officers had run their names through police databases looking
for previous arrests or criminal records. Both times, the department refused to
answer the request, claiming that revealing the information would hurt law
enforcement. In a decision released Monday, Information and Privacy
Commissioner Frank Work ruled that police will have to answer both requests. [Source]
Canadians ordered just over
$7.9 billion worth of goods and services over the Internet for personal or
household consumption in 2005. But Statistics Canada says despite the fact
Canadians placed almost 50 million orders online, e-commerce still represented
a small fraction of the $762 billion spent on goods and services last year.
Almost seven million Canadians aged 18 and over placed orders online in 2005,
while slightly over nine million logged on to browse, or do some virtual
“window shopping.” Those making online purchases represented about 41 per cent
of all adults who used the Internet in 2005. [Source]
[Source]
Quebec’s chief electoral
officer has given a vigorous “nay” to electronic voting in future municipal
elections in a report dissecting last autumn’s problem-plagued electronic vote
in 140 cities and towns. The report, tabled in the National Assembly,
criticizes everything from the voting machines, which were provided by three
suppliers and made by different manufacturers, to the personnel who handled
them and the training they received. [Source]
[Electronic
voting blamed for Quebec municipal election ‘disaster’]
[Virginia
Legislators call for Paper Voting Records] [US Voting
Integrity Group Recommends Measures for Election Day] [Background] [Background] [Background] [Background]
[Background]
Australia has seen its first
conviction under its stringent Spam Act of 2003. Clarity1 Pty Ltd was fined
AUD$4.5 million (US$3.46 million) and its director, Wayne Mansfield, AUD$1
million (US$768,000) for sending 280 million unsolicited commercial emails over
the course of two years. Approximately 25 percent, or 73 million, of the
messages were delivered successfully. Australia’s Federal Court has also banned
Clarity1 from sending unsolicited email in the future. [Source]
Microsoft will make its Sender
ID email authentication technology publicly available as part of its Open
Specifications Promise program. This means that “users will be able to
implement, commercialize and modify Microsoft’s patented email authentication
technology without having to sign a licensing agreement” and without fear of
being sued by Microsoft. Microsoft views the decision as a step in the
direction of promoting interoperability within the industry. [Source]
[Source]
[Source]
Strides have been made in the
past year since a U.S. federal advisory committee made recommendations about
how health information could be shared in the context of a national e-health
records system. The government has followed through on adoption of eight of the
committee’s 14 recommendations. However, the government has yet to take steps
to prevent patients from suffering discrimination based on the release of
medical records – even if the release of the records was illegal. Criminal
sanctions for privacy violations also have not been adopted. Meanwhile, several
health IT bills related to the committee’s recommendations have stalled in
Congress. [Source]
[Report]
[Standards Panel
Delivers Interoperability Specifications to Support Nationwide Health Information
Network]
1. Hard drive maker brings
encryption to device level: Seagate’s DriveTrust promises to lock down data in
the hardware, rather than through firewalls or software. Dubbed DriveTrust
Technology, encryption is integrated directly into the drive itself. Most other
encryption technologies reside in a separate application or as part of the
operating system. [Source]
2. Securing Data on the Move with Cryptainer: Carry your files
with you, but make sure they’re also encrypted and safe with this nifty tool
from Cypherix. While looking for some encryption software that was relatively
portable, highly secure and allowed encryption of data on USB flash drives and
CD/DVD ROMs, [Source]
3. Aladdin Knowledge Systems, an Israel-based international data security company,
on Monday unveiled the eToken user authentication device, which enables users
to safely carry their personal digital credentials with them and log on to
company networks using a USB key without the use of traditional passwords,
which carry with them great risk. “The concept is just like you have a key for
your home and a key for your car, now you have a key for your data,” said the
Aladdin CEO. [Source]
On Monday in Prague the Big
Brother Awards for the most egregious data privacy transgressions in the Czech
Republic were bestowed for the second time. For retaining indefinitely the data
of its former customers and even of people who have merely made an inquiry with
the lending institution, “Komerční banka” (which freely translates as
“Commercial Bank”) was deemed the “Worst Commercial Intruder.” [More] The “Biggest
State Intruder,” was bestowed upon the country’s Minister of Finance Bohuslav
Sobotka. Anyone who wants to do business in the Czech Republic must apply for a
taxpayer reference number. This number is identical to the identity number that
every Czech national receives -- and retains throughout his or her life. The
International Award went to the U.S. for surreptitiously gathering financial
transaction data supplied by the transaction services provider SWIFT [More], as well
as for the country’s controversial flight passenger data collection scheme that
applies to all passengers flying to the United States. [More]
The jury found the most dangerous new technology from a data-privacy protection
angle to be that introduced by the Czech Federal Railway Company. The company is banking on
“In-Karta,” an RFID-based ticket that makes it possible to track the movement
of passengers. The title Big Brother law of the year went to the Data Retention
Directive in force in the Czech Republic since the autumn. The winner of the
award for the “most ridiculous argument against data protection” was Milos
Titz, the erstwhile deputy chairman of the Parliamentary Committee on Defense
and Security. Six months ago Mr. Titz came out in public with the following
statement: “If I don’t do anything bad I have nothing to fear.” Alas, the
Social Democratic Member of Parliament is not alone in adopting this attitude
toward data privacy protection. [Robert W. Smith]
London-based Privacy
International has ranked 37 countries for their records on privacy protections.
Topping the list was Germany, followed by Canada. The U.S. was No. 30 on the
list. Britain ranked 33. The worst privacy records were Malaysia and China,
according to the group. The group assesses a number of criteria, including
whether the country has a constitution that specifically mentions privacy, its
use of electronic surveillance and what impact it has as a global privacy
leader. [Source]
[Report]
The Electronic Privacy
Information Center and Privacy International have released the Privacy &
Human Rights Report 2006, which surveys developments in 70 countries, assessing
the state of technology, surveillance and privacy protection. The most recent
report published in 2006 is probably the most comprehensive single volume
report published in the human rights field. The report runs to almost 1,200
pages and includes about 6,000 footnotes. More than 200 experts from around the
world have provided materials and commentary. The participants range from law
students studying privacy to high-level officials charged with safeguarding
constitutional freedoms in their countries. Academics, human rights advocates,
journalists and researchers provided reports, insight, documents and advice.
This year Privacy International took the decision to use the report as the
basis for a ranking assessment of the state of privacy in all EU countries together
with eleven benchmark countries (see above). PI hopes to publish the rankings
on an annual basis. [Source]
Hackers have radically
increased their attacks on online brokerage accounts, making millions of
dollars of unauthorized trades. The fourth largest online brokerage, E-Trade
Financial reported that organized groups in Eastern Europe and Thailand are
responsible for losses exceeding $18 million in the last three months alone.
Customer account fraud has also been reported by TD Ameritrade, the third
largest online broker. [Source]
Information Commissioner
Richard Thomas is warning banks to stop the “thoroughly unacceptable” practice
of dumping financial records. Thomas is investigating a growing number of cases
in which banks have discarded records that potentially pose an identity theft
threat to customers. Thomas has the power to issue an enforcement notice to
banks that would require them to show how they are protecting customers. [Source]
The province’s former review
officer for the Freedom of Information and Protection of Privacy Act is urging
politicians in the legislature to reduce or scrap fees charged for requests.
Darce Fardy, who has organized a group called the Right to Know Coalition, said
Monday that the act’s $25 application fee and $25 appeal fee are the highest in
the country and are allowing the government to keep public information under
wraps. “The fees are a deterrent,” Mr. Fardy said in an interview. Mr. Fardy,
who retired as Nova Scotia’s review officer earlier this year, said his
coalition has sent letters to Justice Minister Murray Scott, along with the NDP
and Liberals. “It’s a fundamental right,” Mr. Fardy said. “You can’t have good
government without open government and the secrecy that surrounds the
bureaucracy.” [Source]
EPIC reports that the FBI's
database of criminal DNA, CODIS (Combined DNA Index System), which was created
to help solve violent crimes such as rape and murder, is increasingly being
used in burglaries and other property crimes. In 10 states -- Alabama, Florida,
Indiana, Michigan, Missouri, New Mexico, Ohio, Oregon, Virginia and Wisconsin --
the total number of DNA matches in property crimes cases has exceeded the
number of matches in violent crimes. Some experts attribute the rise in
property crime matches to increasingly sophisticated DNA testing and the fact
that government funds for DNA analysis, once limited to testing matches in violent
crimes, can now be used in property crimes. For 17 years, the states, federal
government, and military have collected DNA from those convicted of felonies
(more recently, some states have begun collecting DNA samples from people
convicted of misdemeanors or arrested for certain felonies). The database
contains profiles from approximately 3.5 million people. [Source]
Questions are being raised
about the lack of safeguards to prevent access to medical records stored on a
computer that will automatically collect the health files directly from
physicians and hospitals. The system is billed as the world’s largest civilian
IT project. The British Medical Association takes the position that “the government should
get the explicit permission of patients before transferring their information
on to the central database.” However, the health department’s IT agency has
said that patients will not be allowed to object to their information being
added to the database. Once the data is loaded, patients can add an electronic
flag to their records. The system is expected to launch next year, but key
details have not yet been worked out, including a mechanism to allow patients
to restrict access to sensitive aspects of their medical history. [Source]
[Spine-chilling:
centralised “spine” of all medical records]
In what would have to be one
of the worst email privacy breaches in Australian history, Macquarie
University’s Alumni office sent every graduate in its database a copy of the
full alumni mailing list. The alumni were not happy that their email addresses,
many of which were clearly identifiable, were released en masse. [Source]
A state contractor working for
the child-support enforcement division has reported a missing desktop computer
that held names, birth dates and Social Security numbers. The theft occurred
the weekend of Oct. 14 from the Denver offices of Affiliated Computer Services
Inc. The computer held information on nearly 1 million recently hired Colorado
employees, which are cross-checked against the state’s child-support
enforcement registry. The computer also holds information on 500,000 people on
the state’s child-support list. The theft is under investigation. [Source] [Source]
Ontario Privacy Chief Investigating Theft of Laptop
Containing Personal Data: The Ontario Science Centre is missing a password-protected laptop
that contained some personal information, including credit card numbers,
related to registration for programs. The center notified the affected members
and reported the Sept. 18 theft to Dr. Ann Cavoukian’s Office, Information and
Privacy Commissioner of Ontario. A spokesman for Cavoukian, Bob Spence, said
the commission is investigating the incident, which also was reported to the
police. [Source]
Breaches Compromise Data of 230,000 at Children’s
Hospital in Akron: A breach of two computer databases at Children’s Hospital in Akron, Ohio
has compromised personal information belonging to approximately 230,000
patients and family members and 12,000 individuals who have made donations to
the hospital. [Source]
[Source]
[Source]
Denver DA Warns of Personal Data Stolen Via LimeWire: The Denver district attorney’s
office is warning that thousands of people could be at risk of having their
personal information stolen if they or someone who uses their computer has
installed the LimeWire file-sharing program. A routine theft investigation at a
Denver apartment turned up tax records, bank account information and on-line
bill paying information for approximately 75 people and businesses across the
country. The information appears to have been stolen from people’s computers
through LimeWire. [Source]
[Source]
T-Mobile Employees’ Data Missing: A laptop computer
holding Social Security numbers (SSNs) of as many as 43,000 current and former
T-Mobile USA employees disappeared from a T-Mobile employee’s checked airplane
luggage. T-Mobile has sent letters to everyone whose data were on the computer;
the company is offering them one year of free credit monitoring. [Source]
Minneapolis-St. Paul Area OB Patient Data on Stolen
Computer: A laptop stolen
from the car of an Allina Hospitals and Clinics nurse holds data on
approximately 14,000 individuals who have participated in the obstetric
home-care program since June 2005. [Source]
Stolen Laptop Holds Data on 200 University of
Minnesota Students: A laptop computer stolen from a University of Minnesota faculty member
while traveling in Spain holds personally identifiable student data. The
computer belongs to the art department. In September, the university
acknowledged the theft of two Institute of Technology laptops that held student
data. [Source]
Online identity experts at
Garlik estimate that ID theft will continue to increase. The report indicates
that the increase will be fueled by an uptick in online fraud. Organized
criminal gangs increasingly are using the Internet to steal personal
information to commit fraud, according to criminologists. Currently, more than
100,000 Britons are victims of ID theft – a figure that the report estimates
will double by 2010. [Source]
[Online ID
theft booms as credit levels increase, says study]
The Federal Trade Commission
(FTC) estimates that young adults and college students, between the ages of 18
and 29, have the highest rate of identity theft. An FTC spokeswoman said ID
thieves strike often on college campuses because of the opportunities that
exist to steal personal information. Students frequently leave their bills in
plain view, which gives criminals the opportunity to steal personal
information. The FTC recommends that college students purchase a shredder to
take to school with them. [Source]
Canadians will likely have to
show their health cards or drivers’ licences before being allowed to vote in
the next federal election. The Conservative government on Tuesday introduced
proposed legislation that would require voters to present photo identification
at federal polling stations. “Electoral fraud largely remains an exception, but
that doesn’t mean we can’t improve the system,” Tory House leader Rob Nicholson
told reporters. The proposed changes to the Elections Act would require voters
to either present the ID cards or show two pieces of identification confirming
their addresses. Without such identification, voters will have to legally
attest that they are who they say they are. [Source]
China’s Ministry of Public
Security (MPS) is taking steps to address the problem of duplicated identity
numbers. The 18-digit numbers are assigned to Chinese citizens when they turn
16; each number is supposed to be unique, but it is estimated that 1 million
people have duplicated numbers. Because the numbers are linked to so much of
people’s lives, including bank accounts, education certificates and crime
records, being misidentified can pose serious problems. There have been
complaints of people being unable to apply for driver’s licenses because
someone with the same number has already been granted a license. [Source]
Microsoft is making its
antipiracy check mandatory for Office. The company introduced Office Genuine
Advantage in April as a voluntary way for people to ensure that they only used
licensed copies of the productivity software. As of Friday, Office Online
templates downloaded from within Microsoft Office System 2007 applications will
require validation of the Office software in use. [Source] [Source]
Copyright laws are “out of
date” and must be updated so MP3 player users can make copies of CDs without
breaking the law, according to a think tank. The Institute for Public Policy
Research argues that consumers’ rights should be improved with a “new private
right to copy”. It is also calling on the government to reject demands for the
music copyright term to be extended beyond 50 years. [Source]
A new phishing protection
feature on Firefox 2.0 is tied to a cookie that sends Google data on every Web
site a user visits. The connection between the long-awaited phishing protection
feature and a cookie that feeds Google information has led to privacy
objections. The anti-phishing technique in Firefox 2.0 transmits the URL of each Web site a user
visits to Google. Google says that it will compare the URL with a database of
known fraudulent sites, but Google has not said what else it might do with the
URLs it collects. The mode that asks Google about each site visited requires an
opt-in; the default “Phishing Protection” setting, which is turned on out of the
box in Firefox 2, instead checks sites against a locally downloaded list of
suspected phishing sites. Still, many Firefox users are troubled that to get the
stronger protection they must submit to sending Google information about their
Web surfing habits. Earlier this year, a federal judge made clear that
there were privacy interests in the collection and disclosure of URLs and
search terms. [Source]
[Firefox,
"Phishing Protection" ]
Security experts have found a
weakness in Internet Explorer 7 that could help crooks mask phishing scams, the
type of attack Microsoft designed the browser to thwart. IE 7, released last
week, allows a Web site to display a pop-up that can contain a spoofed Web
address. An attacker could exploit this weakness to trick people into believing
they are on a trusted Web site when in fact they are viewing a malicious page.
[Source]
A U.S. lawmaker wants the
government to arrest a graduate student for launching a Web site that lets
users create fake boarding passes capable of fooling airport screeners.
Security researcher Christopher Soghoian created the Northwest Airline Boarding
Pass Generator in the hope of spurring Congress to look closely at the nation’s
aviation security policies, which he calls “security theater.” [Source] [Fake Boarding Pass Site
Shut Down] [Christopher
Soghoian's blog] [Fake Boarding Pass Instructions: Bruce Schneier
| Sen. Schumer | Slate Magazine ]
The Indo-Canada Chamber of
Commerce organized an outsourcing panel discussion in Toronto to explore
Canadian companies’ use of business process outsourcing (BPO). Hiring companies
to handle payroll, human resources and other business functions is a rising
trend in Canada. Panelists said India most often is the recipient of Canadian
companies’ information technology and business functions. Because of the demand
in India, large outsourcing firms there are turning to outsourcing operations
in Malaysia and the Philippines, where costs are lower. In the past 18 months,
Canadian companies have warmed to the idea of outsourcing, according to an
industry group spokesman. Canada’s privacy commissioner requires companies to
inform customers that they are outsourcing functions; to ensure that the BPO
firm has adequate data security measures; and to include contract language that
makes it clear that Canadian firms own the data. [Source]
The Center for Digital
Democracy and the U.S. Public Interest Research Group filed a complaint with
the Federal Trade Commission (FTC), arguing that many companies do not
adequately disclose their data collection and use policies. The complaint asks
the FTC to investigate companies for targeting advertisements to users based on
their Web surfing habits and demographics. The complaint singles out
Microsoft’s new adCenter. Microsoft said the company carefully protects the
privacy of its users and clearly explains its privacy practices and policies
“across all of our online services and all of our advertising products.” [Source] [Source]
[50-page
complaint] [Source]
[Source]
The Hong Kong Independent Police
Complaints Council’s leak of personal data online in March breached data
protection requirements, Privacy Commissioner Roderick Woo says, adding the
council has complied fully with his enforcement notice. The Security Bureau
said all necessary support will be offered to the council and its secretariat
in taking forward the follow-up and remedial measures. [Source]
Law Commission president Sir
Geoffrey Palmer said the four-stage privacy review will include a “high-level
policy overview to assess privacy values, changes in technology, international
trends, and their implications for New Zealand civil, criminal and statute
law.” The commission also will review New Zealand’s civil law remedies and
criminal prosecution of privacy invasions. A similar privacy review is under
way in Australia. [Source]
The American Civil Liberties
Union has dropped a three-year-old lawsuit challenging the constitutionality of
the USA Patriot Act, months after Congress rewrote parts of the law. The ACLU
said Friday it is withdrawing the lawsuit because of “improvements to the law.”
[Source]
Ponemon Institute chairman
Larry Ponemon has come out in defense of Hewlett-Packard’s (HP) use of
“pretexting” to track confidential information leaks from the board stating
Sarbanes-Oxley requirements are the root cause of the problem. Ponemon defended
HP’s use of pretexting, claiming the burdens of Sarbanes-Oxley on the board mean
they have to be “extremely diligent” about locating and finding leaks. He said
such investigative techniques are widespread. Ponemon admits the company
“really stuffed up” by failing to understand the tactics used by private
investigators straddling the “unethical practice” of pretexting. [Source]
California Gov. Arnold
Schwarzenegger’s re-election team has created a massive computer storehouse of
data on personal buying habits and voter records to scout up likely supporters.
Campaign officials say the operation, run in cooperation with the state
Republican Party, is the largest of its kind in any state, at any time. [Source]
An external security advisory
committee reporting to the U.S. Department of Homeland Security has produced a highly
critical report advising against the use of RFID technology in
government documents. But the scathing analysis remains stuck in limbo as
a draft report, while the government pushes ahead with plans to include RFID
tags in everything from passports and driving licences to library cards. The Data
Privacy and Integrity Advisory Committee of the DHS concludes that RFID chips
are useful in inventory management but aren’t suitable for human
identification, where privacy issues remain a concern. Using RFID tags to
identify miners or firefighters more quickly may be a sensible use the
technology. Where the technology falls down is where it’s used to verify
identity, where the experts reckon it offers little advantage over previous
technology while creating the possibility that data held on RFID chips might be
intercepted by undesirables. “RFID appears to offer little benefit when compared
to the consequences it brings for privacy and data integrity. Instead, it
increases risks to personal privacy and security, with no commensurate benefit
for performance or national security,” the report states. The experts advise
that “RFID be disfavored for identifying and tracking human beings. When DHS
does choose to use RFID to identify and track individuals, we recommend the
implementation of the specific security and privacy safeguards”. The draft
report was criticised by the RFID lobby when it came out in summer. Civil
liberties group CDT is also critical of the report because of its failure to
recognize the reality that RFID technology is already widely deployed. The
committee needs to produce suggestions on how the RFID-chips can be more securely
deployed instead of advising government to avoid the technology. [Source] [Report]
[Source]
[Department of Homeland
Security Data Privacy and Integrity Advisory Committee: The Use of RFID for
Human Identification] [Background
(EPIC) ]
Academic researchers have
found that the new RFID chip-equipped credit cards can transmit sensitive data
unencrypted. With the help of an inexpensively built device, researchers at the
University of Massachusetts, Amherst, were able to read a card through the
envelope in which it was sent; in some cases, the cardholder’s name, card
number and expiration date were readable in plaintext. The cards are widely
advertised for their “no-swipe” convenience: users simply wave the
card in front of a reader. Some of the companies’ ads imply the data on the
cards are encrypted. Tests on 20 cards from Visa, MasterCard and American
Express found otherwise. The cards can be read through wallets and through
clothing. The card issuers maintain that other security measures would prevent
the RFID payment system from being abused. The study has been criticized for using a
small sample. [Source]
[Source]
[Research
Paper: Vulnerabilities in First-Generation RFID-enabled Credit Cards]
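To make the plaintext exposure above concrete, the following decodes a payment-card record of the kind a passive reader would capture and lists what it reveals. This is an added example, not code from the UMass Amherst study or from this page. It assumes the over-the-air record follows the ISO/IEC 7813 magnetic-stripe Track 1 / Track 2 layout (an assumption; the article does not name the encoding), and the two sample records and the card number in them are constructed test data, not real accounts.

```python
"""Decode a magnetic-stripe-style payment-card record and show what a passive
eavesdropper learns when it is transmitted in the clear.

Added example, not code from the study or the article. ASSUMPTION: the record
a first-generation contactless card sends resembles ISO/IEC 7813 Track 1 or
Track 2. The sample records below are constructed; the PAN is a standard
test number, not a live account.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Track 1 (format B):
#   %B<PAN>^<SURNAME>/<GIVEN>^<YYMM><service code><discretionary data>?
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^09121011234567890?"
# Constructed Track 2:
#   ;<PAN>=<YYMM><service code><discretionary data>?
SAMPLE_TRACK2 = ";4111111111111111=0912101123456789?"

TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass
class CardRecord:
    pan: str
    expiry: str            # YYMM exactly as encoded
    service_code: str
    name: Optional[str]    # Track 2 carries no cardholder name
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 Luhn check digit: rejects mis-read digits, nothing more."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track(data: str) -> CardRecord:
    """Parse a Track 1 or Track 2 record; raise on malformed input or bad PAN."""
    m = TRACK1_RE.match(data) or TRACK2_RE.match(data)
    if not m:
        raise ValueError("not a Track 1 / Track 2 record")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    name = m.groupdict().get("name")
    if name:
        # Track 1 stores SURNAME/GIVEN; normalise to "GIVEN SURNAME"
        surname, _, given = name.partition("/")
        name = f"{given.strip()} {surname.strip()}".strip()
    return CardRecord(pan, m.group("exp"), m.group("svc"), name, m.group("disc"))


def mask_pan(pan: str) -> str:
    """PCI-style display masking: keep first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def eavesdropper_view(data: str) -> dict:
    """Everything a passive reader recovers if the record crosses the air unencrypted."""
    rec = parse_track(data)
    return {
        "pan": rec.pan,
        "expiry_mm_yy": f"{rec.expiry[2:]}/{rec.expiry[:2]}",
        "name": rec.name,
        "masked": mask_pan(rec.pan),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(eavesdropper_view(sample))
```

Run against the Track 1 sample the decoder returns the full account number, the expiry and the cardholder name, which is exactly the set of fields the article says was readable; the Track 2 sample shows that even a record without a name still yields the account number and expiry. The Luhn check only confirms the capture was not garbled, and the issuer-side “other security measures” the card brands point to (transaction-specific codes, back-end fraud checks) are outside what this example models.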
Panelists who spoke about
privacy at the RFID Journal LIVE! Europe 2006 delivered the message that the
RFID industry should build privacy safeguards into the technology. An industry
representative – noting that some states in the U.S. are attempting to
legislate RFID controls – stressed that companies need to communicate with the
public more about “what RFID can and cannot do.” The challenge for industry,
according to one panelist, is to convince consumers about the benefits of RFID.
[Source]
The third annual Global Information Security
Workforce Study, sponsored by (ISC)2 and carried out by IDC, found that people
and processes are more critical to information security than technology. IDC’s
Web-based study was drawn from responses of more than 4,000 information
security professionals in 100 countries. The survey includes data on the size
of the global security workforce and salary data. For example, the survey found
that security pros in the UK are earning more than their European counterparts,
but less than U.S. pros. [Source]
[Source]
The surveillance state is
sorting society into pockets of desirable and undesirable people and treating
them accordingly, the UK’s privacy guardian, the Information Commissioner, said
this week at the launch of the 28th International Conference of Data Protection
and Privacy Commissioners, citing a major new study. The democratic
values of equality and freedom are threatened by the creeping advance of
surveillance into all walks of life, according to A Report on
the Surveillance Society, edited by two of the world’s leading thinkers on
the social consequences of surveillance and including work by Canada’s David Lyon.
[Source]
[Press
Release][UK
Information Commissioner site][Full
Study] [Interview
with Richard Thomas]
An AP article highlights a
Virginia-based operation called the Army Web Risk Assessment Cell, which
monitors official and unofficial blogs and other Web sites for anything that
may compromise security. The team scans for official documents, personal
contact information and pictures of weapons or entrances to camps. [Source]
A new federal rule to
standardize minimum requirements for “black boxes” in vehicles wasn’t expected
to be controversial, but it has ignited a firestorm of protests from groups
that largely agree the information collected by the devices improves auto
safety. All U.S. and foreign automakers have asked the National Highway Traffic
Safety Administration to rewrite the rule because they say it’s too vague and
will cost too much to implement. Safety advocates say it doesn’t go far enough.
A NHTSA spokesman said last week the agency will respond to the requests, but
did not say when. If denied by the NHTSA, the petitioners can ask a judge to
block the rule from being implemented. The new rule is set to take effect in
September 2010. Automakers have asked NHTSA to respond quickly, by March,
because product planning for 2010 models will begin as early as next year. [Source]
AT&T Inc. is introducing a
home monitoring service that includes live video surveillance on a computer or
cell phone, as well as lighting controls and detection sensors for motion,
temperature changes and flooding. The service, launched last week and priced
at $9.95 per month, is compatible with any broadband Internet service. The
cellular feature is limited to mobile phones from Cingular Wireless, and
requires the customer to subscribe to a wireless Internet package costing $10
to $20 a month, on top of voice plan fees. [Source]
Speaking at a recent
conference, CDT executive director Leslie Harris urged government entities to
keep databases of information gathered by motor vehicle departments to verify
individuals’ identities separate from other computer systems. The DMVs are
required to store electronic copies of documents such as birth certificates to
ensure that each individual is issued no more than one license. There is
concern that, because of the amount spent on creating the DMV systems
required under the Real ID Act of 2005, state officials could be tempted to use
the information for other purposes to get the most from that spending. Harris
suggested that DHS include privacy protection in its regulations for
implementing the Real ID Act. There is currently no mention of privacy or
security in the Real ID Act. [Source] See also: www.cdt.org/privacy/030131motorvehicle.shtml
Three new state laws go into
effect today to protect New Yorkers from identity theft, which claims millions
of Americans as victims each year. The Security Freeze Law allows
consumers to block access to their credit reports. The Disposal of Personal
Records Law requires businesses to shred, destroy or modify personal
records no longer in use to ensure that no one could gain access to them. And
the Anti-Phishing Act of 2006 bans the deceptive solicitation of
personal information through electronic communication such as e-mail. Phishing
is the act of stealing personal information by luring Internet users to a fake
Web site - a mock Citibank site, for instance - and stealing passwords, Social
Security numbers or other personal information. [Source]
As identity thieves
increasingly use children’s personal information to commit ID theft, Sen.
Hillary Clinton said this week she will add language to her debit card fraud
legislation to require credit card companies to verify the age of new credit
applicants before approving or denying the application. In 2005, as many as
500,000 American children may have been the victims of fraud or identity theft,
according to the Identity Theft Resource Center. [Source]
The Alberta Federation of Labour has updated its
policy on workplace drug and alcohol testing to clearly state that it opposes
mandatory drug testing of employees. AFL president Gil McGowan said the
federation’s last Policy Statement on Workplace Drug and Alcohol Testing was
passed in 2001 and that it was time for an update. “In short, the policy
clearly opposes all forms of employer-imposed drug and alcohol testing,” said
McGowan. “It does so for two reasons. First, it is an unreasonable invasion of
workers’ privacy and in many cases contravenes the human rights code.” He added
that drug and alcohol testing doesn’t make workplaces safer. He pointed to
Alberta government research that shows testing cannot be shown to reduce
work-related injuries. “Our belief is that employers are using drug testing as
a method of exerting control over their workforce, not to make workplaces
safer,” he said. [Source]
--------